GlobalProtect transparent upgrade not updating clients automatically when portal and gateway are hosted on different IP addresses but on the same Palo Alto Networks Firewall

Created On 10/11/21 15:03 PM - Last Modified 05/23/25 20:47 PM


Symptom


  • GlobalProtect transparent upgrade fails for certain users when the portal and gateway use different IP addresses but are hosted on the same Palo Alto Networks firewall.
  • Error messages such as the following are seen in the PanGPA logs:
(T10372) 08/26/20 08:04:37:111 Error( 298): CPanHTTPSession::SendRequest: WinHttpReceiveResponse failed with error 12152.
(T10372) 08/26/20 08:04:38:127 Error( 121): CPanURLDownload::DownloadURLToFile - ERROR_WINHTTP_INVALID_SERVER_RESPONSE received, retry = 1, sleep time =1000
(T10372) 08/26/20 08:04:51:" "8:14:18:917 Error( 362): CPanHTTPSession::DownloadData: WinHttpQueryHeaders failed with error 12019.
(T7924) 08/26/20 08:14:18:917 Error( 168): DownloadURLToFile: cancel download
(T7924) 08/26/20 08:14:18:917 Info (1062): DownloadProc: download file failed. 
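
To check a collected PanGPA log for this failure signature, the following Python sketch can be used. It is an added example, not part of the original article or any Palo Alto Networks tooling. The sample log is constructed from the excerpt above, the line pattern and the function name `triage` are assumptions, and the name for error 12019 comes from the WinHTTP error list rather than from the article.

```python
import re
from collections import defaultdict

# WinHTTP error codes that appear in the article's log excerpt.
WINHTTP_ERRORS = {
    12152: "ERROR_WINHTTP_INVALID_SERVER_RESPONSE",
    12019: "ERROR_WINHTTP_INCORRECT_HANDLE_STATE",
}
# Assumed line shape: (T<thread>) MM/DD/YY HH:MM:SS:mmm <Level>(<n>): <message>
LINE_RE = re.compile(
    r"^\(T(?P<tid>\d+)\)\s+(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+"
    r"(?P<level>\w+)\s*\(\s*\d+\):\s*(?P<msg>.*)$"
)
ERR_RE = re.compile(r"failed with error (\d+)")

# Constructed sample modelled on the excerpt above (not a real capture).
SAMPLE_LOG = """\
(T10372) 08/26/20 08:04:37:111 Error( 298): CPanHTTPSession::SendRequest: WinHttpReceiveResponse failed with error 12152.
(T10372) 08/26/20 08:04:38:127 Error( 121): CPanURLDownload::DownloadURLToFile - ERROR_WINHTTP_INVALID_SERVER_RESPONSE received, retry = 1, sleep time =1000
(T10372) 08/26/20 08:14:18:917 Error( 362): CPanHTTPSession::DownloadData: WinHttpQueryHeaders failed with error 12019.
(T7924) 08/26/20 08:14:18:917 Error( 168): DownloadURLToFile: cancel download
(T7924) 08/26/20 08:14:18:917 Info (1062): DownloadProc: download file failed.
(T7924) 08/26/20 08:14:20:001 Info ( 77): unrelated line
garbled line that does not parse
"""

def triage(log_text):
    """Summarise upgrade-download failures found in PanGPA log text."""
    result = {"winhttp_errors": defaultdict(int), "download_failed": [], "unparsed": 0}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"] += 1  # keep a count so damaged logs are visible
            continue
        err = ERR_RE.search(m["msg"])
        if err and int(err.group(1)) in WINHTTP_ERRORS:
            result["winhttp_errors"][WINHTTP_ERRORS[int(err.group(1))]] += 1
        if "download file failed" in m["msg"]:
            result["download_failed"].append(m["ts"])
    # The article's symptom: WinHTTP errors together with a failed download.
    result["matches_symptom"] = bool(result["winhttp_errors"] and result["download_failed"])
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A match only indicates the same log pattern; the NAT policy on the firewall still has to be checked to confirm the cause.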


Environment


  • Palo Alto 5020 Series firewall.
  • PANOS-8.1.15 or higher
  • GlobalProtect 


Cause


Because the portal and gateway are hosted on different IP addresses, the gateway communicates with the portal through a tunnel. A "No NAT" rule is required to allow the connection.



Resolution


Create a no NAT rule with the GlobalProtect subnet as the source IP and the GlobalProtect portal IP address as the destination.

 


Additional Information


How to create a no NAT rule
